From 1435ce5d17665928363d3b6cc86c8cd33a5050f8 Mon Sep 17 00:00:00 2001 From: Major Hayden Date: Tue, 15 Nov 2016 11:03:37 -0600 Subject: [PATCH] [Doc] Exceptions for LDAP SSL/TLS checks The current version of the RHEL 7 STIG refers to pam_ldap, which is no longer recommended as the method for authenticating to LDAP servers. This patch adds exception documentation that explains sssd to deployers and provides configuration advice. Altering these values via programmatic methods could take an entire environment offline. Implements: blueprint security-rhel7-stig Change-Id: If410d477590f8cb53f279396ba4edf63c5222b78 --- doc/metadata/rhel7/RHEL-07-040180.rst | 12 +++++++++--- doc/metadata/rhel7/RHEL-07-040181.rst | 22 +++++++++++++++++++--- doc/metadata/rhel7/RHEL-07-040182.rst | 22 +++++++++++++++++++--- 3 files changed, 47 insertions(+), 9 deletions(-) diff --git a/doc/metadata/rhel7/RHEL-07-040180.rst b/doc/metadata/rhel7/RHEL-07-040180.rst index a87ed6d4..e5c805ef 100644 --- a/doc/metadata/rhel7/RHEL-07-040180.rst +++ b/doc/metadata/rhel7/RHEL-07-040180.rst @@ -1,7 +1,13 @@ --- id: RHEL-07-040180 -status: not implemented -tag: misc +status: exception - manual intervention +tag: auth --- -This STIG requirement is not yet implemented. +Deployers are strongly urged to utilize ``sssd`` for systems that authenticate +against LDAP or Active Directory (AD) servers. + +The ldap connector for ``sssd`` connects only to LDAP servers over +encrypted connections. Review the man page for +`sssd-ldap `_ for more details on this +requirement. diff --git a/doc/metadata/rhel7/RHEL-07-040181.rst b/doc/metadata/rhel7/RHEL-07-040181.rst index 3cc43ea2..51d236d5 100644 --- a/doc/metadata/rhel7/RHEL-07-040181.rst +++ b/doc/metadata/rhel7/RHEL-07-040181.rst 
@@ -1,7 +1,23 @@ --- id: RHEL-07-040181 -status: not implemented -tag: misc +status: exception - manual intervention +tag: auth --- -This STIG requirement is not yet implemented. +Deployers are strongly urged to utilize ``sssd`` for systems that authenticate +against LDAP or Active Directory (AD) servers. + +To meet this control, deployers must ensure that ``ldap_tls_cacert`` or +``ldap_tls_cacertdir`` are set in the ``/etc/sssd/sssd.conf`` file. The +``ldap_tls_cacert`` directive specifies a single certificate while +``ldap_tls_cacertdir`` specifies a directory where ``sssd`` can find CA +certificates. + +.. warning:: + + Use caution when adjusting these settings. If the correct CA certificates + are not already deployed to the servers that perform LDAP authentication, + their attempts to authenticate users might fail. + + Consult with administrators of the LDAP system and test all changes on + a non-production system first. diff --git a/doc/metadata/rhel7/RHEL-07-040182.rst b/doc/metadata/rhel7/RHEL-07-040182.rst index 91707d77..ed1b6308 100644 --- a/doc/metadata/rhel7/RHEL-07-040182.rst +++ b/doc/metadata/rhel7/RHEL-07-040182.rst 
@@ -1,7 +1,23 @@ --- id: RHEL-07-040182 -status: not implemented -tag: misc +status: exception - manual intervention +tag: auth --- -This STIG requirement is not yet implemented. +Deployers are strongly urged to utilize ``sssd`` for systems that authenticate +against LDAP or Active Directory (AD) servers. + +To meet this control, deployers must ensure that ``ldap_tls_cacert`` or +``ldap_tls_cacertdir`` are set in the ``/etc/sssd/sssd.conf`` file. The +``ldap_tls_cacert`` directive specifies a single certificate while +``ldap_tls_cacertdir`` specifies a directory where ``sssd`` can find CA +certificates. + +.. warning:: + + Use caution when adjusting these settings. If the correct CA certificates + are not already deployed to the servers that perform LDAP authentication, + their attempts to authenticate users might fail. + + Consult with administrators of the LDAP system and test all changes on + a non-production system first.
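Review bot: in the RHEL-07-040180.rst hunk the reStructuredText link `sssd-ldap `_ has no URL between the angle brackets as shown, so it will render as a broken reference; either restore the target or drop the link markup and simply name the man page (``man sssd-ldap``). The sentence "The ldap connector for ``sssd`` connects only to LDAP servers over encrypted connections" is also an unqualified claim, and unlike the two sibling pages this one names no ``sssd.conf`` directive a deployer could check; consider stating which settings make the encrypted transport mandatory (for instance an ``ldaps://`` URI in ``ldap_uri``, or ``ldap_id_use_start_tls``) so the exception can be verified rather than assumed. Minor: "ldap connector" should be "LDAP connector".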
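Review bot: in the RHEL-07-040181.rst hunk the text names ``ldap_tls_cacert`` and ``ldap_tls_cacertdir`` but not where in ``/etc/sssd/sssd.conf`` they belong; state that they go in the ``[domain/<name>]`` section for the LDAP or AD domain, since a deployer who places them under ``[sssd]`` gets no effect and no error. Supplying a CA also only protects the connection when certificate verification is enforced, so it would be worth mentioning ``ldap_tls_reqcert`` (default ``hard``) and noting that lowering it to ``allow`` or ``never`` is not an acceptable way out of the "attempts to authenticate users might fail" situation the warning describes. Minor grammar: "ensure that ``ldap_tls_cacert`` or ``ldap_tls_cacertdir`` are set" reads better as "is set".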
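Review bot: the RHEL-07-040182.rst hunk is word-for-word identical to the RHEL-07-040181.rst hunk, warning block included. If the two STIG items are distinct controls (the ``ldap_tls_cacert`` versus ``ldap_tls_cacertdir`` pair suggests a one-directive-per-control split), each page should say which of the two directives it covers and why setting the other one satisfies the same intent; if the two really are interchangeable, say so explicitly so that readers and auditors are not left wondering whether one page was pasted by mistake.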